Overview
Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes.
When image optimization is enabled, repeatedly requesting an image could lead to excessive CPU consumption and denial of service.
A Denial of Service (DoS) attack, as outlined by OWASP, is focused on making a resource (site, application, or server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, including manipulating network packets or exploiting programming, logic, or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or if the way the service handles the resources it uses is abused.
Details
Module Info
Product: Next.js
Affected packages: Next.js
Affected versions: <=14.2.6
GitHub Repo: https://github.com/vercel/next.js
Published packages: Next.js
Package manager: npm
Vulnerability Info
This medium-severity vulnerability is found in the main distribution of Next.js in versions lower than or equal to 14.2.6.
Addressing the Issue
Users of the affected components should apply one of the following mitigations:
- Ensure that the next.config.js file sets one of images.unoptimized, images.loader, or images.loaderFile, so that the built-in image optimizer is not in use.
- Upgrade to a version of the framework that isn’t susceptible to the exploit.
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.
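The following is an added example, not code from the advisory or from the Next.js project: a small Node.js check that inspects the `images` section of a next.config.js object and reports whether one of the three configuration mitigations above is present. It assumes the config has already been loaded as a plain object (for example with require('./next.config.js')), treats an explicit `loader: "default"` as equivalent to leaving it unset because that value selects the framework's built-in optimizer, and uses constructed sample configs; the function and config names are hypothetical.

```javascript
// Added example: audit a Next.js config object for the image-optimizer mitigations
// listed in the advisory. Not part of Next.js or the original advisory.

// "default" is the built-in optimizer, so an explicit loader: "default" does not
// switch it off (assumption stated in the lead-in).
const DEFAULT_LOADER = "default";

// Returns the name of the mitigation that disables the built-in optimizer,
// or null when none of the three advisory settings is in effect.
function imageMitigation(config) {
  const images = (config && typeof config === "object" && config.images) || {};
  if (images.unoptimized === true) {
    return "images.unoptimized";
  }
  if (typeof images.loaderFile === "string" && images.loaderFile.length > 0) {
    return "images.loaderFile";
  }
  if (typeof images.loader === "string" && images.loader !== DEFAULT_LOADER) {
    return "images.loader";
  }
  return null;
}

// True when the built-in image optimizer is still active, i.e. the
// configuration alone does not address the advisory.
function builtInOptimizerActive(config) {
  return imageMitigation(config) === null;
}

// Audit several named configs at once; returns { name: "ok: <mitigation>" | "exposed" }.
function auditConfigs(configs) {
  const report = {};
  for (const [name, config] of Object.entries(configs)) {
    const mitigation = imageMitigation(config);
    report[name] = mitigation === null ? "exposed" : `ok: ${mitigation}`;
  }
  return report;
}

// Constructed sample configs (not taken from any real project).
const sampleConfigs = {
  // No images section at all: the built-in optimizer is on by default.
  bare: { reactStrictMode: true },
  // Explicitly naming the default loader changes nothing.
  explicitDefault: { images: { loader: "default" } },
  // Mitigation 1: turn optimization off entirely.
  unoptimized: { images: { unoptimized: true } },
  // Mitigation 2/3: hand images to a custom loader file (hypothetical path).
  customLoader: { images: { loader: "custom", loaderFile: "./image-loader.js" } },
  // Mitigation 2 alone: a non-default loader with its base path.
  hostedLoader: {
    images: { loader: "cloudinary", path: "https://res.cloudinary.com/demo/image/upload/" },
  },
};

// Stand-alone run: print the audit table.
console.log(auditConfigs(sampleConfigs));
```

Run it with node after pointing `sampleConfigs` at the project's own loaded config; any entry reported as "exposed" still relies on the built-in optimizer and needs one of the other mitigations (an upgrade or post-EOL support) instead.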
Credit(s)
- Brandon Dahler (brandondahler), AWS
- Dimitrios Vlastaras